Verifying Webhooks Created via the API

If a shared secret has been configured, each webhook request includes an X-Nexudus-Hook-Signature header. Its value is an HMAC-SHA256 digest, keyed with the app's shared secret, computed over the JSON payload sent in the request body.

The following C# code, run on the sending side, generates the signature header (GetWebRequest, GetSharedSecret and dto are the sender's own helpers and are not shown here):


using System;
using System.Net;
using System.Security.Cryptography;
using System.Text;
using Newtonsoft.Json;

var wr = GetWebRequest();
// The request body is the DTO wrapped in a single-element JSON array
var dataString = JsonConvert.SerializeObject(new[] { dto });

// Calculate signature hash: HMAC-SHA256 keyed with the shared secret.
// No header is added when no shared secret is configured.
var sharedSecret = GetSharedSecret();
if (!string.IsNullOrEmpty(sharedSecret))
{
  // Both the key and the message are encoded as ASCII; non-ASCII characters
  // would be replaced before hashing, so receivers should expect ASCII payloads
  var encoding = new ASCIIEncoding();
  var keyBytes = encoding.GetBytes(sharedSecret);
  using var hmacsha256 = new HMACSHA256(keyBytes);
  var messageBytes = encoding.GetBytes(dataString);
  var hashBytes = hmacsha256.ComputeHash(messageBytes);
  var hash = ByteToString(hashBytes); // 64 upper-case hex characters
  wr.Headers.Add("X-Nexudus-Hook-Signature", hash);
}

// Render the digest as upper-case hexadecimal, two characters per byte
string ByteToString(byte[] buff)
{
  var sbinary = new StringBuilder(buff.Length * 2);
  for (int i = 0; i < buff.Length; i++)
    sbinary.Append(buff[i].ToString("X2")); // hex format
  return sbinary.ToString();
}

To verify that a request came from Nexudus, compute the HMAC-SHA256 digest of the raw request body (the exact bytes received, before any parsing or re-serialisation, since a differently formatted JSON string will produce a different digest) using your shared secret as the key, render it as hexadecimal and compare it with the value in the X-Nexudus-Hook-Signature header. Use a constant-time comparison and normalise the case of both values, because the header is upper-case hex. If they match, the payload was produced by a party holding the shared secret and has not been altered in transit. Two caveats: a request with no signature header should be rejected rather than accepted by default, because the header is only present when a shared secret is configured and an attacker can always send an unsigned request; and the signature alone does not prevent replay of a captured request, so process deliveries idempotently.
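The receiver-side check described above, written in Python as an added example (this is not Nexudus's own code or SDK). compute_signature mirrors the sender: HMAC-SHA256 keyed with the ASCII bytes of the secret, upper-case hex output. The handle_webhook function, its (status, payload) return shape, the header lookup and the sample secret and body are all hypothetical, constructed for this illustration; verification is done on the raw bytes and JSON is parsed only after the signature has been accepted.

```python
import hashlib
import hmac
import json
from typing import Any, Mapping, Optional, Tuple

HEADER_NAME = "X-Nexudus-Hook-Signature"


def compute_signature(shared_secret: str, raw_body: bytes) -> str:
    """Mirror of the sender: HMAC-SHA256 keyed with the ASCII bytes of the
    shared secret over the request body, rendered as upper-case hex (X2)."""
    key = shared_secret.encode("ascii")
    return hmac.new(key, raw_body, hashlib.sha256).hexdigest().upper()


def verify_signature(shared_secret: str, raw_body: bytes,
                     header_value: Optional[str]) -> bool:
    """True only if header_value is the HMAC-SHA256 of raw_body under shared_secret.

    A missing or empty header is a failure, not a pass: anyone who can reach
    the endpoint can send an unsigned request. The comparison is constant-time
    (hmac.compare_digest) and case is normalised because the sender emits
    upper-case hex.
    """
    if not header_value:
        return False
    expected = compute_signature(shared_secret, raw_body)
    return hmac.compare_digest(expected, header_value.strip().upper())


def handle_webhook(headers: Mapping[str, str], raw_body: bytes,
                   shared_secret: str) -> Tuple[int, Optional[Any]]:
    """Hypothetical request handler: verify first, parse JSON only afterwards.

    Returns (HTTP status, parsed payload or None). Header names are matched
    case-insensitively because frameworks differ in how they present them.
    """
    header_value = next((v for k, v in headers.items()
                         if k.lower() == HEADER_NAME.lower()), None)
    if not verify_signature(shared_secret, raw_body, header_value):
        return 401, None
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return 400, None
    return 200, payload


if __name__ == "__main__":
    # Constructed sample values, not a real secret or a real Nexudus payload
    secret = "example-shared-secret"
    body = b'[{"Id":123,"Name":"Example Business"}]'
    sig = compute_signature(secret, body)
    print("signed   ->", handle_webhook({HEADER_NAME: sig}, body, secret)[0])
    print("tampered ->", handle_webhook({HEADER_NAME: sig},
                                        body.replace(b"123", b"124"), secret)[0])
    print("unsigned ->", handle_webhook({}, body, secret)[0])
```

Pass the body to handle_webhook as the bytes your HTTP framework received, not a re-serialised object; if the framework has already decoded the body to text, re-encode it as ASCII before hashing so the bytes match what the sender hashed.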